A note for reading 'Practical Malware Analysis', Chapter 0
* Chapter 0
The Goals of Malware Analysis: Providing the information we need to respond to a network intrusion.
Malware analysis can be used to develop host-based and network signatures.
Host-based signatures
They are used to detect malicious code on victim computers.
Malware indicators focus on what the malware does to a system rather than the characteristics of the malware itself.
Network signatures
They are used to detect malicious code by monitoring network traffic.
Signatures created with the help of malware analysis are usually far more effective, offering a higher detection rate and fewer false positives.
Malware Analysis Techniques
Basic Static Analysis
Examining the executable file without viewing the actual instructions.
Basic Dynamic Analysis
Running the malware and observing its behavior on the system in order to remove the infection, produce effective signatures, or both.
Advanced Static Analysis
Advanced static analysis consists of reverse-engineering the malware's internals by loading the executable into a disassembler and looking at the program instructions in order to discover what the program does.
Advanced Dynamic Analysis
Advanced dynamic analysis uses a debugger to examine the internal state of a running malicious executable.
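As an added example (not code from the book or from the original note), the Python script below carries out the basic static steps described above on a constructed byte blob: it hashes the file, extracts printable strings the way the `strings` tool would, and turns those findings into the two indicator kinds from the first section, host-based (file hashes, a named kernel object) and network (URLs and hostnames). It then matches those indicators against constructed proxy log lines and constructed host observations. The blob, the `example.invalid` host, the `Global\ExampleMutex` name and the log lines are all made up for illustration; nothing here comes from a real sample.

```python
"""Basic static triage of a constructed sample, then host and network signature matching.

Everything below (blob, host, mutex name, log lines) is constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-in for a binary; the printable runs mimic what `strings` would show.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x01\x02\x03"
    + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00"
    + b"\x7f\x00"
    + b"http://example.invalid/update.php\x00"
    + b"Global\\ExampleMutex\x00"
    + b"\xff\xfe"
    + b"cmd.exe /c del %s\x00"
)

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://example.com/index.html 200",
    "2024-01-01T10:00:07Z 10.0.0.9 GET http://example.invalid/update.php 200",
    "2024-01-01T10:00:09Z 10.0.0.9 GET http://example.invalid/update.php 404",
]

MIN_STRING_LEN = 5
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Windows kernel object namespace prefixes: strings starting with these often name
# mutexes or events the malware creates, which makes them useful host-based indicators.
NAMED_OBJECT_PREFIXES = ("Global\\", "Local\\")


def file_hashes(data: bytes) -> dict:
    """Cryptographic hashes are the simplest host-based indicator for a specific file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def derive_indicators(data: bytes) -> dict:
    """Turn basic static findings into host-based and network indicators."""
    strings = extract_strings(data)
    urls = [u for s in strings for u in URL_RE.findall(s)]
    hosts = sorted({urlparse(u).hostname for u in urls})
    named_objects = [s for s in strings if s.startswith(NAMED_OBJECT_PREFIXES)]
    return {
        "host": {"hashes": file_hashes(data), "named_objects": named_objects},
        "network": {"urls": urls, "hosts": hosts},
    }


def match_network_log(log_lines: list, indicators: dict) -> list:
    """Network signature: return log lines whose URL host is one of the sample's hosts."""
    hosts = set(indicators["network"]["hosts"])
    hits = []
    for line in log_lines:
        if any(urlparse(url).hostname in hosts for url in URL_RE.findall(line)):
            hits.append(line)
    return hits


def match_host_artifacts(observed_hashes: set, observed_objects: set, indicators: dict) -> bool:
    """Host-based signature: True when a host shows the sample's hash or a named object it creates."""
    host = indicators["host"]
    if set(host["hashes"].values()) & set(observed_hashes):
        return True
    return bool(set(host["named_objects"]) & set(observed_objects))


if __name__ == "__main__":
    ind = derive_indicators(SAMPLE_BLOB)
    print("strings:", extract_strings(SAMPLE_BLOB))
    print("indicators:", ind)
    print("network hits:", match_network_log(SAMPLE_PROXY_LOG, ind))
    print("host hit:", match_host_artifacts(set(), {"Global\\ExampleMutex"}, ind))
```

The named-object match is the point of the "host-based indicators focus on what the malware does" sentence: a rebuilt or repacked variant would change every hash, but as long as it still creates the same mutex the host-based indicator keeps firing, whereas the hash only matches this exact file.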
Types of Malware
- Backdoor
- Botnet
- Downloader
- Information-stealing malware: sniffers, password hash grabbers, keyloggers
- Launcher
- Rootkit
- Scareware
- Spam-sending malware
- Worm or virus
Malware can also be classified by target scale, e.g. mass malware vs. targeted malware.
Targeted malware is a bigger threat than mass malware.